Hackers halt production at Iran’s largest crude steel producer
Organizations dealing in the production of Crude Steel are part of the critical manufacturing sector, which is vital to the National Economy and Trade. Products made by these manufacturing industries/organizations are essential to the country’s critical infrastructure sectors, such as defense, infrastructure, and aerospace.
Due to this national reliance on these industries, hackers and hacktivist groups target these organizations to disrupt operations at the plant and other industries connected with the organizations.
On June 27, 2022, the Threat Actor Gonjeshke Darande (Predatory Sparrow) attacked three Iranian steel plants associated with the Iranian Revolutionary Guard Corps (IRGC), commonly referred to as Sepah سپاه, and with the Resistance Mobilization Force/Basij (بسيج). The plants were:
- Khouzestan Steel Company (KSC)
- Mobarakeh Steel Company (Isfahan) (MSC)
- Hormozgan Steel Company (HOSCO)
The TAs provided one proof-of-concept video, which was followed by a confirmation from Khouzestan Steel Company (KSC) that it had halted production due to technical issues following a cyberattack.
KSC consists of three main production units, as described below:
Pelletizing Plant
KSC includes two pelletizing units with a nominal capacity of 3.1 million tons per year. These units convert concentrated iron ore into pellets.
Direct Reduction Plant (DRP)
This unit converts the pellets into sponge iron. The plant comprises four Midrex modules with a capacity of more than 4 million tons.
Steel-Making Plant
This unit converts sponge iron into slabs, blooms, and billets.
The steel-making plant consists of:
- Six Electric Arc Furnaces
- Three Ladle Furnaces (LF)
- Two double-strand slab continuous-casting machines
- One six-strand bloom continuous-casting machine
- Two six-strand billet continuous-casting machines
As per the video shared by the TA, the attack occurred in the steel-making plant unit of KSC. The heatmap below suggests significant thermal activity in the region, even though the plant's operations were reported to be at a halt.
The video posted by the TAs shows a steel factory (confirmed to be Khouzestan Steel Company (KSC)) with a date and time stamp. At the beginning, workers notice the crucible overflowing and move away. After ensuring that nobody is near the crucible, the attackers pour molten steel outside the molds, causing a fire.
The proof shared also included two screenshots, one of an Industrial Control System (ICS). The controls shown were made by another Iranian Systems Engineering and Automation company, IRISA, which has customers including Isfahan Mobarakeh Steel Company, Hormozgan Steel, Khorasan Steel, and Khuzestan Steel, Isfahan Steel, Sangan Khorasan Steel, Kaveh South Kish Steel, etc. In short, this could impact the entire Iranian steel industry.
Searching for “Irisa” live IPs, we found another steel company (Esfahan Steel Company) that uses the same software.
Amongst the screenshots shared by the Twitter handle, one pointed toward the network monitoring software PRTG, as shown in Figure 7 (PRTG Network Monitoring software). PRTG has several known vulnerabilities, which might have been used as an entry point by the attackers.
Observations from the Screenshot shared by TA
- PRTG screenshots show the overview of assets within the Organization.
- The timestamp provided in the screenshot shows that the TA had access to the PRTG on June 26, 2022.
- The PRTG version being used is outdated.
Cyble Research Labs recently authored a blog on this topic, providing an in-depth analysis of “How misconfigured tool allows hackers to gain complete insights of IT/OT network of the organization.”
PRTG is a comprehensive network monitoring tool for Windows-based computers. It is suitable for networks of all sizes and capable of LAN, WAN, WLAN, and VPN monitoring. Organizations can monitor real or virtual web, mail, file servers, Linux systems, Windows clients, routers, and other devices.
Organizations using PRTG or similar network monitoring solutions should ensure that the product used to gain visibility over their assets is not exposed over the internet and is kept up to date with the latest patches released by the vendor.
Note: PRTG network monitor has more than 20 vulnerabilities, including remote code execution, Command Injection, CSRF, etc., as shown below.
The infamous SolarWinds attack is a good example of this, where attackers injected malicious code into an update of the IT monitoring system Orion, which is used by multiple public and private organizations globally.
A malicious hacker gaining access to a network monitoring solution can not only exploit it for lateral movement but can also gain a complete overview of the assets used by the organization, which increases the risk of targeted exploitation.
Overview Of The Threat Actor’s Activities
The TAs involved in the attack are active on Telegram and Twitter, sharing posts that claim responsibility for several attacks on Iranian infrastructure. While we cannot verify these claims, each incident’s overall messaging consistently emphasizes “doing no harm to civilians.”
The first attack that Gonjeshke Darande took credit for was a system-wide attack on Iran’s railroad network on July 9 & 10, 2021.
This attack was followed a day later by an attack on the computer systems of the Ministry of Roads and Urban Development to protest the abuse of funds and money laundering by the state, as stated by the TA (see Figures 10 and 11).
Finally, before the events covered in this advisory, Gonjeshke Darande attacked the National Iranian Oil Product Distribution Company (NIOPDC), but not before allegedly broadcasting a message to emergency vehicle operators to refill their vehicles.
Notably, much like the previous railroad attack, the same phone number was left on digital signage – 64411, which is allegedly the number to Khomeini’s office. See Figures 12 and 13 below.
Cyber-attacks on critical infrastructure can result in loss of life, monetary losses, and reputational damage and can spark significant events within the country that can impact the economy overall.
A cyber-attack on assets in a critical infrastructure environment can stop industrial operations temporarily or permanently, which can disrupt the entire supply chain.
In times of war, a single failure within a critical sector can impact military operations; hence, state-sponsored actors are actively targeting these sectors.
Threat groups can easily inflict chaos on the public if they launch a cyber-attack on critical sectors.
The recent attack on the steel industry indicates that hacktivists, APTs, malicious hackers, etc., are actively scanning critical sector assets. The attacks launched on critical sector organizations are getting more refined and politically motivated. Outdated software is still a major factor in the success of these attacks and the vulnerability of these entities.
Organizations dealing in critical infrastructure should thus immediately look into their exposure and vulnerable assets.
1. Limit exposure of critical assets over the internet by implementing proper network segmentation.
2. In a recent trend, hackers and hacktivists are targeting the exposed assets of organizations, including CCTV, printers, VOIP devices, routers, etc. Ensure that the Internet of Things (IoT) devices used by the Organization are not exposed over the internet and are network-segmented so that intruders cannot move laterally from the corporate network to the operational/control network.
3. Keep track of patches and updates released by Industrial Control System (ICS) vendors.
4. Utilize software bill of materials (SBOM) to better understand and visualize assets being utilized within the organizations. SBOM can be crucial in narrowing down the vulnerable assets used in the IT/OT environment.
5. Keep all critical assets behind a firewall.
6. Monitor logs for tracking any suspicious activities.
7. Make sure the Organization’s hardware and software are updated with the latest version provided by a trusted source or official vendor.
8. Follow a strong password policy within the Organization. Also, default/factory-set passwords for ICS components should be changed immediately.
9. Implement and follow the Zero trust policy.
10. Regular Vulnerability Assessment and Penetration Testing (VAPT) and audit policies are necessary for eliminating weak security points within the organization.
11. Employees must go through cybersecurity awareness training programs to keep themselves updated with the latest trends.
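As an added example (not code from Cyble or from the original advisory), the following Python script applies the exposure, patch-level and default-credential checks from recommendations 1, 2, 3, 5, 7 and 8 above to a constructed asset inventory. The internal address ranges, product classes, minimum versions and sample assets are illustrative assumptions, not real KSC or PRTG data.

```python
import ipaddress
from dataclasses import dataclass
# Assumed internal address space; anything outside it is treated as internet-reachable.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Product classes that must never face the internet (recommendations 1, 2 and 5).
MONITORING_PRODUCTS = {"prtg", "orion"}
IOT_PRODUCTS = {"ipcam", "printer", "voip"}
# Hypothetical minimum versions standing in for "latest vendor patch" (recommendations 3, 7).
MIN_VERSION = {"prtg": (22, 2), "orion": (2022, 2)}

@dataclass
class Asset:
    name: str
    product: str
    version: str
    ip: str              # address the asset is reachable on
    zone: str            # "corp", "dmz" or "ot"
    default_creds: bool  # still on factory credentials (recommendation 8)

def parse_version(text):
    """'20.1.56' -> (20, 1, 56); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def is_exposed(asset):
    addr = ipaddress.ip_address(asset.ip)
    return not any(addr in net for net in INTERNAL_NETS)

def audit(asset):
    """Return the findings for one asset; an empty list means it passes all checks."""
    findings = []
    prod = asset.product.lower()
    sensitive = prod in MONITORING_PRODUCTS | IOT_PRODUCTS or asset.zone == "ot"
    if sensitive and is_exposed(asset):
        findings.append("exposed")
    if prod in MIN_VERSION and parse_version(asset.version) < MIN_VERSION[prod]:
        findings.append("outdated")
    if asset.default_creds:
        findings.append("default-credentials")
    return findings

def audit_inventory(assets):
    return {a.name: f for a in assets if (f := audit(a))}
# Constructed sample inventory; addresses come from documentation ranges, not real hosts.
SAMPLE = [
    Asset("prtg-core", "PRTG", "20.1.56", "203.0.113.5", "dmz", False),
    Asset("furnace-hmi", "HMI", "1.0", "198.51.100.7", "ot", True),
    Asset("prtg-probe", "PRTG", "22.3.80", "10.20.30.4", "corp", False),
    Asset("gate-camera", "ipcam", "3.2", "10.50.1.9", "corp", True),
]
print(audit_inventory(SAMPLE))
```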